URL Monitor - Can't Establish SSL Trust

Topics: Developer Forum, User Forum
Mar 19, 2008 at 7:49 PM
Hi,

I have a number of web servers that I would like to check via the URL (HTML) monitor. These servers only accept SSL connections and are part of a web farm. Normally they are accessed via a URL along the lines of https://www.mysite.com. The certificate subject name they use is www.mysite.com. When accessing via that alias I can hit any of the servers in the farm, depending on how the load balancing is working.

For monitoring purposes I want to be able to query each server directly by its server name, i.e. https://server1.mysite.com. My servers respond to these requests; however, as expected, they present a certificate warning saying that the name on the cert doesn't match the name of the site.

When trying to monitor these servers directly by server name, PolyMon reports the error "Fail. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure secure" - presumably because of the name mismatch. Is there a way to tell PolyMon to ignore this condition and continue testing anyway?

Cheers,
Mar 19, 2008 at 9:03 PM
Edited Mar 27, 2008 at 9:02 PM
Update 3/27/2008: I realized I was missing the Certificate Policy object from my code. I also wanted to warn everybody that it may be quite a while before I get around to converting the VB code below to PowerShell.

I have to handle this same situation. If it helps any, I have a bit of VB.Net code that reveals the magic incantation that causes System.Net.HttpWebRequest to ignore all certificate errors. When I get a free minute I would like to convert this to PowerShell. In the meantime, this is what I have...

The refactored certificate handling object
Public Class MyPolicy
  Implements System.Net.ICertificatePolicy
  Public Function CheckValidationResult(ByVal srvPoint As System.Net.ServicePoint, _
                ByVal cert As System.Security.Cryptography.X509Certificates.X509Certificate, ByVal request As System.Net.WebRequest, _
                ByVal certificateProblem As Integer) _
            As Boolean Implements System.Net.ICertificatePolicy.CheckValidationResult
    'Return True to force the certificate to be accepted.
    Return True
  End Function
End Class

Dim URL As String
URL = "https://server1.domain.com/"
 
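' This next line essentially says let the above object handle the certificate.
' The policy is process-wide: every HTTPS request made after this point skips certificate checks.
System.Net.ServicePointManager.CertificatePolicy = New MyPolicy()

Dim req As System.Net.HttpWebRequest = CType(System.Net.WebRequest.Create(URL), System.Net.HttpWebRequest)

' Set the timeout to 5 seconds (or 5,000 milliseconds)
req.Timeout = 5000

Try
	Dim resp As System.Net.HttpWebResponse = CType(req.GetResponse(), System.Net.HttpWebResponse)
	' Release the connection once the request has succeeded
	resp.Close()
Catch
	' Quietly ignore any errors (or handle specific errors here)
End Try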


And here is a bit of PowerShell script that shows a web request wrapped in a timer that I use to populate a PolyMon counter.

$URI = New-Object System.Uri("https://server1.domain.com/")
$Timer = Measure-Command {$WebStream = (new-object net.webclient).OpenRead($URI)}
Mar 24, 2008 at 11:14 PM

TreeStryder wrote:
I have been meaning to rewrite one of my PowerShell scripts that tests our secure web servers to handle this same situation.

If it helps any, I have a bit of VB.Net code that reveals the magic incantation that causes System.Net.HttpWebRequest to ignore all certificate errors. When I get a free minute I'll convert this to PowerShell and try to post it here.



Cheers for that.

-Gav.
Oct 3, 2008 at 1:01 PM
Edited Oct 3, 2008 at 1:35 PM

A while back I said I wanted to work up a PowerShell way to ignore SSL errors when making HTTP calls; luckily someone did my work for me...

http://poshcode.org/624

They are compiling C# code on the fly, much more involved than I suspected.


Oct 10, 2008 at 1:28 PM
There has been an update to the PowerShell function:

http://poshcode.org/634
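
The per-node check asked about at the top of this thread can also be done without switching certificate validation off: connect to the node's own name, but have SslStream validate the certificate against the name it was issued for. This PowerShell function is an added example, not code from the thread, from poshcode.org or from PolyMon; Test-FarmNode and its parameters are hypothetical names, and the host names in the usage comment are the thread's placeholders.

```powershell
# Added example: checks one farm node over TLS with full certificate validation.
# Test-FarmNode is a hypothetical name, not a PolyMon or .NET function.
function Test-FarmNode {
    param(
        [string]$Node,          # machine to connect to, e.g. server1.mysite.com
        [string]$CertName,      # name the certificate was issued for, e.g. www.mysite.com
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $result = New-Object PSObject -Property @{ Node = $Node; Status = $null; Ms = $null; Error = $null }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $clock = [System.Diagnostics.Stopwatch]::StartNew()
        $tcp.Connect($Node, $Port)
        $tcp.ReceiveTimeout = $TimeoutMs
        $tcp.SendTimeout = $TimeoutMs

        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        # Chain, expiry and name are all still validated; only the expected name
        # differs from the connect target. A bad certificate throws here.
        $ssl.AuthenticateAsClient($CertName)

        # Minimal HTTP/1.1 request so the web server sees the farm's host header.
        $writer = New-Object System.IO.StreamWriter($ssl)
        $writer.NewLine = "`r`n"
        $writer.WriteLine("GET / HTTP/1.1")
        $writer.WriteLine("Host: $CertName")
        $writer.WriteLine("Connection: close")
        $writer.WriteLine()
        $writer.Flush()

        $reader = New-Object System.IO.StreamReader($ssl)
        $result.Status = $reader.ReadLine()        # first line of the HTTP response
        $result.Ms = $clock.ElapsedMilliseconds    # elapsed time, usable as a counter value
    }
    catch {
        # Connection, timeout and certificate failures all land here.
        $result.Error = $_.Exception.Message
    }
    finally {
        $tcp.Close()
    }
    $result
}

# Usage (placeholder names from the thread):
# Test-FarmNode -Node 'server1.mysite.com' -CertName 'www.mysite.com'
```

Unlike a global certificate policy that returns True, this still fails the check when a node presents an expired, untrusted or wrong certificate, and it changes nothing for other HTTPS requests in the same process.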